Upgrade Exchange 2003 to Exchange 2010 - Part II

In Jaap's second article on upgrading straight from Exchange Server 2003 to 2010, he explains how to move the various services from the older version and fully decommission the Exchange Server 2003 servers. Jaap's first article can be found here.

In my previous article I explained the initial steps that are needed when you want to upgrade an existing Exchange 2003 environment to Exchange Server 2010. The Active Directory was upgraded, the new namespace was planned, and a combined CAS/HUB server was installed as well as a Mailbox Server, including a storage design. The last step that was performed in the previous article was the Public Folder replication from Exchange Server 2003 to Exchange Server 2010.

In this article we will actually move the various services from Exchange Server 2003 to Exchange Server 2010 and fully decommission the Exchange Server 2003 servers.

Offline Address Book generation

Changing the Offline Address Book generation isn’t the most difficult part of a migration. Log on to the new Exchange 2010 Server and open the Exchange Management Console. In the navigation pane, navigate to the Organization Configuration and select the Mailbox option. In the results pane, select the Offline Address Book tab. Here you’ll see that the ‘old’ 2003 Mailbox Server is the Offline Address Book generation server. Right-click this server and select ‘Move…’. The Move Offline Address Book wizard will appear. Use the Browse button to select the Exchange 2010 Mailbox Server Role as the new generation server and click the Move button. When the move has completed, click the Finish button.

Address List conversion

Exchange Server 2010 uses E-mail Address Policies, just like Exchange Server 2007. And, as with Exchange Server 2007 these are not compatible with the Recipient Policies used in Exchange Server 2003. The next step is to convert the Recipient Policies to Exchange Server 2010 Email Address Policies.

There’s no way to achieve this using the Exchange Management Console so we need the Exchange Management Shell. When you try to edit a Recipient Policy in Exchange Server 2010 Management Console it gives a clue on how to convert the Recipient Policies to E-mail Address Policies:

Besides the fact that you have to convert the Recipient Policies to Email Address Policies there’s another very important aspect. Exchange Server 2003 can use LDAP queries for Recipient Policies while Exchange Server 2007 and Exchange Server 2010 use a new technique called OPATH filtering for creating queries. The OPATH filtering syntax replaces the LDAP filtering syntax. Using OPATH it is possible to create filters directly in the Exchange Management Shell using the -RecipientFilter parameter.

LDAP filters are supported in Exchange Server 2010, and they continue to work, but they only exist on objects that are migrated from Exchange Server 2003 or earlier. If you want to edit LDAP filters, they first need to be converted to OPATH filters. Microsoft has created a script that can convert your LDAP filters to OPATH filters. Check the Exchange team blog for more information: “Need help converting your LDAP filters to OPATH?”

If you don’t use any LDAP filtering in your Recipient Policies you can convert the Recipient Policies directly to Email Address Policies.

The Set-EmailAddressPolicy cmdlet is needed for this.

Open the Exchange Management Shell and enter the following command:

Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"}

This will show a list of Recipient Policies that are available in your Exchange organization. We can use this output by piping it into the Set-EmailAddressPolicy cmdlet:

The Recipient Policies are now converted to Exchange Server 2010 Email Address Policies and you can open them in the Exchange Management Console. Please note that the examples mentioned above are pretty simple policies. If you have more complex policies please test this thoroughly. If you have any Mailbox Manager policies, these have to be removed.

Warning: if you happen to do this on Recipient Policies that have (advanced) LDAP queries, all custom filters can be reset to "mailnickname=*", which can result in significant email outages. You have to test all these changes in a dedicated lab environment to see how they will affect your Exchange environment!
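A pre-flight for the conversion and the warning above, as an added example that is not part of the original article: it saves every legacy policy together with its LDAP filter, converts only the policies whose filter is the default (mailNickname=*), and leaves policies with custom filters untouched for manual OPATH conversion. It assumes the Exchange 2010 Management Shell; the function name, the backup path and the choice of -IncludedRecipients AllRecipients as the converted filter are assumptions of this example.

```powershell
# Added example (not from the article): run in the Exchange 2010 Management Shell.
# Convert-DefaultLegacyPolicy and $BackupPath are names chosen for this example.
function Convert-DefaultLegacyPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$BackupPath = 'C:\Temp\LegacyRecipientPolicies.xml'
    )

    # Policies that still carry an Exchange 2003 (LDAP) filter.
    $legacy = @(Get-EmailAddressPolicy |
        Where-Object { $_.RecipientFilterType -eq 'Legacy' })

    if ($legacy.Count -eq 0) {
        Write-Host 'No legacy Recipient Policies found.'
        return
    }

    # Save name, priority, LDAP filter and address templates before touching
    # anything, so a reset filter can be rebuilt. Written even under -WhatIf.
    $legacy |
        Select-Object Name, Priority, LdapRecipientFilter, EnabledEmailAddressTemplates |
        Export-Clixml -Path $BackupPath -WhatIf:$false

    foreach ($policy in $legacy) {
        # Normalise whitespace so "( mailNickname=* )" still counts as default.
        $filter = "$($policy.LdapRecipientFilter)" -replace '\s', ''

        if ($filter -ieq '(mailNickname=*)') {
            # Default filter: converting to "all recipients" keeps the same scope.
            if ($PSCmdlet.ShouldProcess($policy.Name, 'Convert to OPATH filter (AllRecipients)')) {
                Set-EmailAddressPolicy -Identity $policy.Name `
                    -IncludedRecipients AllRecipients -ForceUpgrade
            }
        }
        else {
            # Custom LDAP filter: converting blindly would widen the policy.
            Write-Warning ("Skipped '{0}': custom LDAP filter {1}" -f `
                $policy.Name, $policy.LdapRecipientFilter)
        }
    }

    # Return the state after the run so the result can be reviewed or logged.
    Get-EmailAddressPolicy |
        Select-Object Name, Priority, RecipientFilterType, RecipientFilter
}

# Dry run first: lists what would be converted and writes the backup file.
Convert-DefaultLegacyPolicy -WhatIf | Format-Table -AutoSize
```

Run it again without -WhatIf once the skipped policies have been reviewed; the skipped ones still need their LDAP filter translated to OPATH by hand or with the Microsoft script mentioned earlier.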

The Address Lists need to be converted to Exchange Server 2010 as well. To achieve this open an Exchange Management Shell and enter the following commands:

Mail flow settings

Before changing the actual SMTP mailflow we have to create a Send Connector first. This will allow the Hub Transport Server to send SMTP mail to the Internet directly. In the Exchange Management Console, navigate to the Organization Configuration and select the Hub Transport Server. In the Actions Pane select “New Send Connector…” and create a new SMTP connector to the Internet. Select * in the namespace (this makes all outbound messages go through this connector) and select the DNS or the Smarthost option, depending on your own situation.

By default the Receive Connector on the Exchange 2010 Hub Transport Server will not allow any anonymous connections. To change this, open the Exchange Management Console, navigate to the Server Configuration and select the Hub Transport Server in the Results Pane. Right-click the default Receive Connector and select its properties. Select the Permissions tab and check the “anonymous” option to enable SMTP anonymous access.

Figure 2. Enable Anonymous access on the Default Receive Connector
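A check worth running after enabling anonymous access, as an added example that is not part of the original article: it lists every Receive Connector, whether anonymous sessions are allowed, and whether those sessions hold the extended right that permits relaying to external domains. It assumes the Exchange 2010 Management Shell; the function name and the report layout are choices made for this example.

```powershell
# Added example (not from the article): run in the Exchange 2010 Management Shell.
# Get-AnonymousConnectorExposure is a name chosen for this example.
function Get-AnonymousConnectorExposure {
    $anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'

    # Extended right that lets a session submit mail for any recipient domain,
    # i.e. relay. Ticking the "anonymous" permission group does not grant it;
    # it only appears if someone added it explicitly.
    $relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

    foreach ($rc in Get-ReceiveConnector) {
        # PermissionGroups is a flags value such as
        # "AnonymousUsers, ExchangeServers, ExchangeLegacyServers".
        $anonEnabled = ("$($rc.PermissionGroups)" -match 'AnonymousUsers')

        # Allow entries held by anonymous sessions on this connector.
        $rights = @($rc |
            Get-ADPermission -User $anonymous -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny } |
            ForEach-Object { $_.ExtendedRights } |
            Where-Object { $_ } |
            ForEach-Object { "$_" })

        New-Object PSObject -Property @{
            Connector         = "$($rc.Identity)"
            Bindings          = ($rc.Bindings -join ', ')
            RemoteIPRanges    = ($rc.RemoteIPRanges -join ', ')
            AnonymousEnabled  = $anonEnabled
            AnonymousCanRelay = ($rights -contains $relayRight)
            AnonymousRights   = ($rights -join ', ')
        }
    }
}

$report = @(Get-AnonymousConnectorExposure)

$report |
    Select-Object Connector, AnonymousEnabled, AnonymousCanRelay, Bindings, RemoteIPRanges |
    Format-Table -AutoSize

# A connector listed here accepts unauthenticated mail for external domains.
$report | Where-Object { $_.AnonymousCanRelay } | ForEach-Object {
    Write-Warning ("{0} lets anonymous sessions relay (rights: {1})" -f `
        $_.Connector, $_.AnonymousRights)
}
```

For the Internet-facing default connector the expected result is AnonymousEnabled True and AnonymousCanRelay False.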

Now that everything is in place, we can start moving the messaging services to Exchange Server 2010. Although there’s no hard requirement to start with the mail flow I’m going to start here. In the original configuration, mail from the Internet is delivered to the ISA 2006 Server and from there it is sent to the Exchange 2003 front-end server. We’ll change the ISA Server configuration so that SMTP mail is delivered to the Exchange Server 2010 Hub Transport Server. When a mailbox is still on Exchange Server 2003 the message is sent across the Interop Routing Group Connector from Exchange Server 2010 to Exchange Server 2003 where it is delivered to the intended Recipient. The Interop Routing Group Connector was created during setup of the Hub Transport Server as explained in the previous chapter. On the ISA 2006 Server open the ISA Server Management Console and navigate to the Firewall Policy. In the results pane select the SMTP rule and edit it so SMTP messages are delivered to the new Exchange 2010 Hub Transport Server.

Outbound SMTP traffic needs to be changed as well. In the original situation there was an SMTP connector from the Exchange Server 2003 Front-End Server towards the Internet. A new Send Connector on the Exchange Server 2010 Hub Transport Server needs to be created that will replace the old Exchange Server 2003 SMTP Connector.

Log on to the Exchange Server 2010 Hub Transport Server and open the Exchange Management Console. Navigate to the Organization Configuration and select the Hub Transport. In the Results Pane select the Send Connectors tab and select “New Send Connector” in the Actions Pane and follow the wizard to create a new Send Connector. In the Address Space window select “*” as the address space to make sure all messages are routed through this connector. In the Network Settings window you have to select either to use DNS (the Hub Transport Server will send all messages to other hosts) or to use a smart host (the Hub Transport Server will forward all messages to this host which in turn will send it to all other hosts).

If the new Send Connector is working, the SMTP Connector on the Exchange Server 2003 Front-End Server can be removed. If removed, messages from Exchange Server 2003 mailboxes bound to the Internet go through the Interop Routing Group Connector to the Exchange Server 2010 Hub Transport Server and then through the Send Connector to the Internet.

Client Access Server

In the previous article regarding the upgrade from Exchange Server 2003 to Exchange Server 2010 I explained the different namespaces. On the Exchange Server 2010 Client Access Server there’s a certificate with the following names:

Webmail.inframan.nl

Autodiscover.inframan.nl

Legacy.inframan.nl

When an OWA client logs on to the Exchange Server 2010 Client Access Server and the particular mailbox is still on Exchange Server 2003 the client gets redirected to the Exchange Server 2003 front-end server. This server will have the legacy.inframan.nl name, since two servers cannot have the same Fully Qualified Domain Name (webmail.inframan.nl).

The new certificate on the Exchange Server 2010 Client Access Server can be exported and imported on the Exchange Server 2003 Front-End Server. This way an error message will not be shown when a client gets redirected to the Exchange Server 2003 Front-End Server.

Note. The certificate needs to be imported on the ISA 2006 Server as well.

After importing the new certificate on the Exchange Server 2003 Front-End server and the ISA 2006 Server the clients continue working, but with the new certificate, so you’ll face only a small downtime (one minute) here when replacing the certificate.

Changing the ISA 2006 Server rules takes a bit more planning. Three new rules will be created:

Exchange 2010 OWA rule;

Exchange 2010 ActiveSync rule;

Exchange 2010 Outlook Anywhere and Autodiscover rule;

Do not apply the changes to the ISA Server at this moment, but uncheck the ‘enable’ option on each rule to prevent immediate activation.

For the ‘old’ Exchange 2003 legacy environment three rules have to be created on the ISA 2006 Server as well:

Exchange 2003 OWA rule;

Exchange 2003 ActiveSync rule;

Exchange 2003 RPC over HTTP rule (this one can be combined with the previous rule however);

As with the Exchange 2010 rules, do not apply these rules immediately, but uncheck the ‘enable’ option on every rule before applying these changes.

The Web Listener in ISA 2006 Server needs to be changed as well. Since a seamless experience for end-users is needed when the redirection occurs, the Single Sign-On option needs to be enabled on the Web Listener.

Figure 3. Enable the single sign-on option for the coexistence phase

In the ISA Server Management Console open the properties of the Web Listener and navigate to the SSO tab. Add .inframan.nl as the SSO domain; please note the leading dot.

When you have configured the above options it’s time to apply all changes in the ISA Server. Enable the 2010 firewall rules, enable the legacy Exchange 2003 rules and disable the old Exchange 2003 rules. All clients are now connected to the Exchange Server 2010 Client Access Server and when needed the clients are redirected to the Exchange Server 2003 Front-End Server.

If you want more information regarding the Client Access Server in the coexistence phase you can read more, including step-by-step instructions on the Microsoft Exchange Product Team blogs:

Move Mailboxes

Before moving the Mailboxes to Exchange 2010 new Mailbox Databases need to be created on the Exchange Server 2010 Mailbox Server. As calculated with the Storage Requirements Calculator (check Table 1 in the previous article) four databases are needed on the Exchange Server 2010 Mailbox Server. To create these, open the Exchange Management Console and navigate to the Organization Configuration and select the Mailbox option. In the results pane select the Mailbox Database tab and in the Actions Pane select “New Mailbox Database…”. Create four new Mailbox Databases, named for example DB01 to DB04. Locate the Databases on drive F:\ and the accompanying log files on drive G:\.

Moving mailboxes is the easiest part in transitioning from Exchange Server 2003 to Exchange Server 2010. The only thing you have to be aware of is the fact that you must initiate the move to Exchange Server 2010 from the Exchange Management Console (or Exchange Management Shell) and not from the Exchange 2003 System Manager.

When you open the Exchange Management Console on the Exchange Server 2010 Mailbox Server and you navigate to the Mailbox option under Recipient Configuration you see a list of mailboxes in the results pane. In the Recipient Type Details column you can see what kind of mailboxes there are. The “Legacy Mailbox” is still an Exchange 2003 Mailbox; a “User Mailbox” is an Exchange Server 2010 Mailbox.

To move a mailbox right click the mailbox and select “New Local Move Request…”. In the wizard that shows up you’ll see the mailbox(es) that you selected. Click the Browse button to select a Mailbox Database you want the mailboxes to move to.

The following window is about corrupted messages and what the move mailbox should do when corrupted messages are found. By default the migration of the mailbox is skipped when corrupt messages are found. When moving from older Exchange versions, like Exchange 2003 it happens that for example old calendar items are corrupt, causing the Mailbox Move to fail. You can increase this number to for example 1,000 to continue moving Mailboxes.

A configuration summary is shown, and when you click the New button the move mailbox starts. After some time, the move mailbox will be finished and the mailbox is on the new Exchange Server 2010 Mailbox Server.

It is also possible to use the Exchange Management Shell for moving mailboxes, or to create custom scripts, which may be useful for larger and more complex environments.

Note: All Mailboxes will be spread across all four Mailbox Databases that were created in the previous step.

This will query the Exchange organization for all Exchange 2003 mailboxes and send the output of the query to the New-MoveRequest command. This will be queued on the server and processed in the background. After some time you can use the Get-MoveRequest command to view the status of the Move Requests:

Figure 4. The New-MoveRequest and the status of the Move Requests

When all of them are finished you can remove the completed Move Requests in the Exchange Management Console or in the Exchange Management Shell by entering the following command:

Get-MoveRequest | Remove-MoveRequest
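A batched variant of the shell-based move, as an added example that is not part of the original article: it moves legacy mailboxes in small batches spread round-robin over the four databases, reports the bad items each move skipped, and removes only requests that completed without skipping anything, so failed or lossy moves stay visible. It assumes the Exchange 2010 Management Shell and the database names DB01 to DB04 used above; the function names, batch name and default limits are choices made for this example.

```powershell
# Added example (not from the article): run in the Exchange 2010 Management Shell.
# Function names, batch name and default values are choices made for this example.
function Start-LegacyMailboxMove {
    param(
        [string[]]$TargetDatabase = @('DB01', 'DB02', 'DB03', 'DB04'),
        # Above 50, New-MoveRequest also requires -AcceptLargeDataLoss,
        # so this example refuses such values instead of adding the switch.
        [ValidateRange(0, 50)][int]$BadItemLimit = 10,
        [int]$BatchSize = 25,
        [string]$BatchName = 'Ex2003-to-Ex2010'
    )

    # "Legacy Mailbox" in the console means the mailbox is still on Exchange 2003.
    $legacy = @(Get-Mailbox -RecipientTypeDetails LegacyMailbox -ResultSize $BatchSize)

    $i = 0
    foreach ($mbx in $legacy) {
        # Round-robin over the target databases.
        $db = $TargetDatabase[$i % $TargetDatabase.Count]
        New-MoveRequest -Identity $mbx.DistinguishedName -TargetDatabase $db `
            -BadItemLimit $BadItemLimit -BatchName $BatchName
        $i++
    }
}

function Get-MoveRequestReview {
    # One row per request, including how many corrupt items were skipped.
    Get-MoveRequest -ResultSize Unlimited |
        Get-MoveRequestStatistics |
        Select-Object DisplayName, Status, PercentComplete, BadItemsEncountered, TargetDatabase |
        Sort-Object Status, DisplayName
}

function Remove-CleanMoveRequest {
    # Remove only requests that completed and skipped nothing. Failed requests,
    # requests still in progress and moves that dropped items are left in place.
    Get-MoveRequest -MoveStatus Completed -ResultSize Unlimited |
        Where-Object { ($_ | Get-MoveRequestStatistics).BadItemsEncountered -eq 0 } |
        Remove-MoveRequest -Confirm:$false
}

Start-LegacyMailboxMove -BatchSize 25 -BadItemLimit 10
Get-MoveRequestReview | Format-Table -AutoSize
# After the review, once the moves have finished:
# Remove-CleanMoveRequest
```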

Remove Public Folder database

When all mailboxes are moved to the Exchange Server 2010 Mailbox Server it’s time to remove the Public Folder Database from Exchange Server 2003. Since this Public Folder Database contains a replica of the Public Folder data the replica has to be moved to another server, in this case the Exchange Server 2010 Mailbox Server.

Log on to the Exchange Server 2003 server and open the Exchange System Manager. Navigate to the Exchange Server 2003 Mailbox Server, right-click the Public Folder Database and select “Move All Replicas”. Select the Exchange Server 2010 Public Folder database in the drop down box and click OK.

A warning message is displayed that the Public Folder Replicas will be moved to the other Public Folder Database and that this can take a considerable amount of time. I’ve seen situations where this took more than 24 hours to complete. Replication takes place using SMTP messages that are sent across the Interop Routing Group Connector to the Exchange Server 2010 Public Folder Database.

As can be seen in the warning message you can check the ‘Public Folders Instances’ folder under the Public Folder database to see if it’s empty. If it’s not and you want to delete the Public Folder Database another warning message is displayed that the Database cannot be deleted.

Figure 6. Deleting the Public Folder database is denied as long as there are Public Folders.

As can be seen in Figure 5 there are still Public Folders in the Database, therefore the Database cannot be removed and a warning message is displayed.

When all Public Folders are moved out of the Exchange Server 2003 Public Folder Database, it can be removed. The Mailbox Database can be removed at this time as well.

Move the Public Folder Hierarchy

The Public Folder tree itself should also be moved to the new Exchange Server 2007 Public Folder database. Logon to the Exchange Server 2003 server and open the Exchange Service Manager. Expand the Administrative Groups and right click the “Exchange Administrative Group (FYDIBOHF23SPDLT)”, select “New” and select “Public Folders Container”.

Then expand the old “First Administrative Group”, expand “Folders” and move the Public Folders tree to the Public Folders container you created in the previous step.

Remove the Interop Routing Group Connector

When the Public Folder Database and the Mailbox Database are removed, and you’ve double checked to ensure that no other clients are using the Exchange 2003 Front-End server as an SMTP relay, the Interop Routing Group Connector can be removed. This can only be done using the Exchange Management Shell on an Exchange Server 2010 server by using the following command:

Get-RoutingGroupConnector | Remove-RoutingGroupConnector

The Get-RoutingGroupConnector will return both Interop Routing Group Connectors (one from Exchange Server 2003 to Exchange Server 2010 and the other one vice versa) and this output will be used as input for the Remove-RoutingGroupConnector command.

Please make sure that absolutely no messages are remaining to be sent across the Interop Routing Group Connector before deletion!

Remove the Exchange Servers

Now that all services are not needed anymore on Exchange 2003 it’s time to remove the Exchange 2003 Front-End Server from our Exchange organization. Please use the Add/Remove Programs option in the server’s control panel to remove Exchange Server 2003. I’ve seen it several times that customers just turn off their Exchange 2003 Servers and start wondering why their environment became that unstable!

Please note that for uninstalling the Exchange 2003 Front-End Server you’ll need the installation media so keep this around.

The Recipient Update Service is the next to remove from the Exchange Server 2003 server. Open the Exchange System Manager and in the Recipients Container select the Recipients Update Service (domain). Right click this Recipient Update Service and select “Delete”. To remove the Enterprise Recipient Update Service it’s not possible to use the Exchange System Manager. To remove this you have to use ADSIEdit.

Open ADSIEdit and open the Configuration Container in Active Directory. Navigate to the

The Exchange 2003 Mailbox Server is the last Exchange 2003 server and is ready to be removed. As with the Front-End server please remove it using the Add/Remove Programs option in the server’s control panel.

Note: When you check Active Directory with ADSIEdit you’ll notice that the old Exchange Server 2003 Administrative Group is still present, although empty. Do not remove this Administrative Group unless you’re absolutely sure there’s no object in Active Directory referencing this Administrative Group in the ExchangeLegacyDN attribute. For more information please check this Microsoft knowledgebase article: http://support.microsoft.com/kb/945602 - Users who use Outlook 2003 cannot publish their free/busy data in Exchange Server 2007.

My personal opinion would be just to leave it there and not touch it. Nobody will see this Administrative Group and it will bother nothing else, so just don’t touch it.

More information regarding the removal of the last legacy Exchange Server can be found on the Microsoft website:

Jaap Wesselius is an independent consultant from The Netherlands focusing on (Microsoft) Business Productivity solutions with Microsoft Exchange, Lync and Office 365. Prior to becoming an independent consultant in 2006, Jaap worked for 8 years for Microsoft Services in The Netherlands, specializing in Exchange Server. Jaap has a Bsc in Applied Physics & Computer Science, is an MCSE, MCITP and MCT, and has consistently been awarded the Microsoft MVP Award (Exchange Server, eighth year now) for his contributions to the (Dutch) Exchange community. For his blog posts, you can visit www.jaapwesselius.com. If you'd like to get in touch, you can reach Jaap via email at Simple-Talk@jaapwesselius.nl, or follow him on twitter as @jaapwess.

I read through all of the upgrade notes but I am still very nervous that this is going to cause an issue. Currently we have Exchange 2003 SP2 Front End Server, Exchange 2003 SP2 Mailbox server, Bes 4.1, and a SharePoint 2007 Connector in Exchange.

I wanted to test the upgrade in a test environment but the problem we had is that when I converted one of our DC's to a VM and tried to install Exchange, Exchange complained because it couldn't replicate to our other 78 Domain Controllers. Adding all of the domain controllers to the test environment is just not possible. Is there a better safe way to test all of this? I am going to take backups and images for all of the servers because performing the upgrade but I am still very nervous about doing it. Any extra input or gotcha's is appreciated.

I mentioned that I couldn't do the upgrade in a test VM environment because Exchange complained that it couldn't replicate settings to the other domain controllers. Is there a way to bypass this so I can just test everything on one Domain Controller?

Sounds like you need to clean up your AD test environment by transferring your FSMO roles (seizing really, since the current role holders cannot be contacted), remove the virtual dysfunct DCs and make your test DC a GC. You likely will need to clean up your DNS as well. Probably best to recreate the DNS zones for your AD, and use NetDiag -Fix to repopulate the zones with the current AD information.

Although my userid is in the "org management" group, many of the things I try in Exchange 2010 give me the error "Active directory respons: 00002098: SecEff: DSID-03150BB9, problem 4003 INSUFF_ACCESS_Rights), data 0". Inheritance seems to be in place and I have searched Google looking for an answer but can't figure this out.


Invoke-Command : Cannot bind parameter 'RecipientFilter' to the target. Exception setting "RecipientFilter": """ is not a valid operator. For a list of supported operators see the command help." RecipientType -eq 'PublicFolder' " at position 16."


Hi, first of all, this is a great article. I am running into an issue where in my test environment most of the mailboxes will not actually move. I'm not too worried about correcting that issue as I believe it has to do with corruption during the creation of the test environment. What I am curious about is if I run into this issue in production, what is the process for exporting/importing the mailboxes from '03 to '10? From what I can tell, I have to export the mailbox in '03, disable the mailbox in '10, create a new mailbox in '10 and then import the mailbox. Is that correct or is there another way to do it?

Pxpx and I are trying to migrate our public folders to our Exchange 2010 server. The move all replicas and public folder hierarchy have moved over successfully. However, as a test, we powered off our Exchange 2003 front-end server and the public folders become inaccessible. Any thoughts as to why that might be the case?

I was receiving the same error when running Set-AddressList “Public Folders” –RecipientFilter {RecipientType –eq “PublicFolder”}. I just typed it in the command shell without copy/paste and it works fine.

Very nice articles! I am using them currently to switch from Exchange 2003 to Exchange 2010 (single server). However, I am a bit stuck on 'Remove Public Folder database'. I initiated this process last Sunday and now (Thursday), it's still not finished... Is there a way I can verify it's actually doing something? Or speed it up in some way? 'Public folder instances' still has 4 folders in it, totalling about 600MB in size. It's been like this for at least 2 days now...

This is a well written article on upgrading to Exchange 2010. I have followed many white papers and I have to say this is probably one of the best I have seen. Thank you all for your valuable knowledge and willingness to share with others that don't have the budget to attend classes but yet is required to have the knowledge.

Under the heading "Move the Public Folder Hierarchy" in the very first sentence you state "The Public Folder tree itself should also be moved to the new Exchange Server 2007 Public Folder database. Logon to the Exchange Server 2003 server and open the Exchange Service Manager."

Is this supposed to say Exchange Server 2010 instead of 2007 and if so, would the steps be the same?


I believe the problem was the extra space in between the word Public and Folders. In the original text there are two spaces vs 1 in the corrected line. Also it seemed to like the single quote around the PublicFolder vs the double quote (the value at the end of the line).

Do you know if I can completely skip Public folder database during the upgrade from Exchange 2003 to 2010? That means in the new environment, I don't need it, I don't want it. Can it be deleted or removed completely without doing transfer of replicas?

I'm trying the Move Public Folders part of this article, and after I did the "Logon to the Exchange Server 2003 server and open the Exchange System Manager. Navigate to the Exchange Server 2003 Mailbox Server, right click the Public Folder Database and select “Move All Replicas”. Select the Exchange Server 2010 Public Folder database in the drop down box and click OK." and immediately all the items under the public folder store disappeared, and I see nothing on the Exchange 2010 server. I did the 'move hierarchy' part as well, but still nothing. I ran into the same problem last time I tested the migration using the command line to move the public folders. So a) is there a way to find everything I lost? b) is there a way to undo this??

Thank you so much for the great tutorial. I checked against other threads. One thing I want to warn, do not use the /removeorg from either setup or update(command prompt) from the original media. If you do this, it will remove all of Exchange Servers in your AD and you'll be up the creek. Run Add/Remove from the Control Panel with the original media. This will only remove the server you want from AD. Just a heads-up and warning. I almost punched that button when I noticed in ADSI it would delete all Exchange Entries.